trojan Win32.TDSS.rtk found



redrumgalaxy
2009-05-29, 08:39
This is my first post here, I hope someone can help,

I noticed my browser started redirecting and spybot, avg wouldn't start up; they were present in the task manager but the interface would not appear. I downloaded superantispyware, malwarebytes antimalware and hijackthis and although they installed they would not start. In safe mode I changed .exe names; it made no difference. On rebooting to normal, no network services were present and the machine thought it was still in safe mode, so I rebooted with last known working settings. I backed up my reg with ERUNT and I ran GMER. When it completed I had no option to save/copy a log as these buttons were no longer on the interface. I ran it again; when I got back to my machine it had rebooted saying it had recovered from a serious error. I shut down AVG watchdog and immediately spybot started up. I scanned and it found a trojan Win32.TDSS.rtk, which I asked it to fix. I then ran GMER again. Again no log was able to be produced, but thanks to pen and paper here is what I thought was most relevant at this stage:

Library \\global root\sytemroot\system32\gxvckirvkdqvssrpnxrdoetswnbippltqwga(***Hidden***)@c:\windows\system32\svchost.exe[480] value= 0x10000000
Service c:\windows\system32\drivers\gxvxctmxehbbmurumlxwkiappamienwxjotp.sys(***Hidden***)value=[system]gxvxcserv.sys
c:\windows\system32\drivers\gxvxctmxehbbmurumlxwkiappamienwxjotp.sys
c:\windows\system32\gxvxccount
c:\windows\system32\gxvckirvkdqvssrpnxrdoetswnbippltqwga.dll
c:\windows\system32\gxvxttcxjoxtqwwykjfmuoyquevkounbprys.dll

HKLM\SYSTEM\controlset001\services\gxvxserv.sys
HKLM\SYSTEM\controlset001\services\gxvxserv.sys@start
HKLM\SYSTEM\controlset001\services\gxvxserv.sys@type
HKLM\SYSTEM\controlset001\services\gxvxserv.sys@image path
HKLM\SYSTEM\controlset001\services\gxvxserv.sys@group
HKLM\SYSTEM\controlset001\services\gxvxserv.sys\modules
HKLM\SYSTEM\controlset001\services\gxvxserv.sys\modules@gxvxserv
HKLM\SYSTEM\controlset001\services\gxvxserv.sys\modules@gxvxcl
HKLM\SYSTEM\controlset001\services\gxvxserv.sys\modules@gxvxcclk

this repeats through control set 002, 003, 004

Also:
software\microsoft\windows\currentversion\internetsettings\zonemap\domains\ list of websites
software\microsoft\windows\currentversion\internetsettings\zonemap\escdomains\ list of websites

Did HJT again:


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:01:56, on 29/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\oodtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\1fc69c74-fced-4e96-9d38-d548eda3f849.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\8DK3A0NF5K3SLOP23.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DVD43] C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [UVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SsAAD.exe] "C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\dhdhdhasoq0129kqlapp;KQIUWLAP.exe"
O4 - HKCU\..\Run: [Rapportexe] "C:\Program Files\Trusteer\Rapport\bin\RapportService.exe" -start -after_boot
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\1fc69c74-fced-4e96-9d38-d548eda3f849.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1216556716400
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229683489652
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229683480288
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8960 bytes

I then ran ComboFix


ComboFix 09-05-28.02 - Join 29/05/2009 0:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.486 [GMT 1:00]
Running from: c:\documents and settings\Join\Desktop\hsywjwj90eoied098ea8098.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Join\APPLIC~1\inst.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-28 23:23 . 2009-05-28 23:23 -------- d-----w c:\docume~1\Join\APPLIC~1\Malwarebytes
2009-05-28 06:35 . 2009-05-28 06:35 -------- d-----w C:\ERDNT
2009-05-28 06:34 . 2009-05-28 06:34 -------- d-----w c:\program files\ERUNT
2009-05-28 06:02 . 2009-05-28 06:02 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-27 22:40 . 2009-05-27 22:40 -------- d-----w C:\gmer
2009-05-27 22:25 . 2009-05-27 22:25 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\KodakGallery
2009-05-27 22:25 . 2009-05-27 22:25 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-05-27 12:06 . 2009-05-26 12:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-27 12:06 . 2009-05-28 06:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-27 12:06 . 2009-05-27 12:06 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-27 12:06 . 2009-05-26 12:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-27 12:06 . 2009-05-27 12:06 3371384 ----a-w C:\mb.exe
2009-05-27 11:12 . 2009-05-27 11:12 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-27 11:11 . 2009-05-27 11:12 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-27 11:11 . 2009-05-27 11:11 -------- d-----w c:\docume~1\Join\APPLIC~1\SUPERAntiSpyware.com
2009-05-27 10:36 . 2009-05-28 07:35 -------- d-----w c:\program files\Autorun Eater
2009-05-26 22:38 . 2009-05-27 09:06 -------- d-----w c:\program files\Flight One Software
2009-05-18 10:45 . 2009-05-18 10:45 -------- d-----w c:\program files\Microsoft Games
2009-05-17 20:14 . 2009-05-17 20:14 -------- d-----w c:\program files\OO Software
2009-05-17 17:12 . 2009-05-17 17:12 -------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-05-17 17:11 . 2009-05-17 17:11 -------- d-----w c:\program files\Jasc Software Inc
2009-05-17 17:11 . 2009-05-17 17:11 -------- d-----w c:\docume~1\Join\APPLIC~1\Jasc Software Inc
2009-05-17 15:55 . 2009-05-17 15:56 -------- d-----w c:\program files\Raxco
2009-05-17 15:54 . 2009-05-17 15:54 57080 ----a-w C:\cc_20090517_165400.reg
2009-05-17 14:50 . 2009-05-17 14:50 -------- d-----w c:\program files\Installer
2009-05-17 13:14 . 2009-05-17 13:14 -------- d-----w c:\documents and settings\Zoe\Application Data\Trusteer
2009-05-17 12:59 . 2009-05-17 12:59 422 ----a-w C:\cc_20090517_135932.reg
2009-05-17 12:59 . 2009-05-17 12:59 346604 ----a-w C:\cc_20090517_135915.reg
2009-05-17 12:56 . 2009-05-17 12:56 87310 ----a-w C:\cc_20090517_135646.reg
2009-05-17 12:54 . 2009-05-17 12:54 -------- d-----w c:\documents and settings\Zoe\Application Data\Nero
2009-05-17 12:52 . 2009-05-17 12:52 182 ----a-w C:\cc_20090517_135249.reg
2009-05-17 12:52 . 2009-05-17 12:52 71224 ----a-w C:\cc_20090517_135218.reg
2009-05-17 12:50 . 2009-05-17 12:51 370250 ----a-w C:\cc_20090517_135027.reg
2009-05-17 12:39 . 2009-05-17 12:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Yahoo!
2009-05-17 12:39 . 2009-05-17 12:49 -------- d-----w c:\program files\CCleaner
2009-05-17 12:32 . 2009-05-17 12:32 3227248 ----a-w C:\ccsetup219.exe
2009-05-17 11:20 . 2009-05-17 11:20 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\O&O
2009-05-17 11:19 . 2009-05-17 11:19 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2009-05-17 11:19 . 2009-05-17 11:19 -------- d-----w c:\documents and settings\Administrator\Application Data\Ulead Systems
2009-05-17 11:19 . 2009-05-17 11:19 -------- d-----w c:\documents and settings\Administrator\Application Data\Nero
2009-05-17 00:08 . 2009-05-17 00:08 -------- d--h--w c:\windows\PIF
2009-05-16 16:57 . 2009-05-17 22:50 -------- d-----w c:\windows\system32\oodag
2009-05-16 16:51 . 2009-05-16 16:51 -------- d-----w c:\documents and settings\Join\Local Settings\Application Data\O&O
2009-05-16 14:05 . 2009-05-16 14:06 -------- d-----w c:\program files\Ray Adams
2009-05-15 17:41 . 2009-05-15 17:41 -------- d-----w c:\docume~1\Join\APPLIC~1\Flight1
2009-05-15 17:10 . 2009-05-15 17:10 -------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-05-15 17:10 . 2009-05-15 17:10 -------- d-----w c:\documents and settings\Join\Local Settings\Application Data\Downloaded Installations
2009-05-15 17:09 . 2009-05-15 17:10 -------- d-----w c:\docume~1\Join\APPLIC~1\GetRightToGo
2009-05-15 14:57 . 2009-05-15 14:57 -------- d-----w c:\documents and settings\All Users\Application Data\Saitek
2009-05-15 14:05 . 2009-05-15 14:12 -------- d-----w c:\program files\Addit! Pro FS 2004
2009-05-14 12:50 . 2009-05-14 12:51 -------- d-----w c:\program files\Common Files\Nero
2009-05-14 12:18 . 2009-05-14 12:18 -------- d-----w c:\documents and settings\Join\Local Settings\Application Data\Nero
2009-05-14 11:43 . 2009-05-14 11:43 -------- d-----w c:\docume~1\Join\APPLIC~1\Nero
2009-05-14 11:40 . 2009-05-14 12:50 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-05-14 11:40 . 2009-05-14 11:40 -------- d-----w c:\program files\Nero
2009-05-12 13:32 . 2009-05-21 09:37 -------- d-----w c:\program files\VisualFlight
2009-05-10 18:42 . 2009-05-10 18:45 -------- d-----w c:\program files\Instant Scenery
2009-05-09 00:24 . 2009-05-09 00:24 -------- d-----w c:\program files\Western Digital
2009-05-05 10:00 . 2009-05-07 20:03 -------- d-----w c:\documents and settings\Join\FileDownloader
2009-05-05 10:00 . 2009-05-27 22:09 -------- d-----w c:\program files\FDN
2009-04-29 11:11 . 2009-04-29 11:11 -------- d-----w c:\docume~1\Join\APPLIC~1\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-28 19:07 . 2008-07-28 09:31 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-28 19:06 . 2008-07-28 09:31 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-28 06:22 . 2009-05-28 06:22 862560 ----a-w c:\windows\system32\rn.tmp
2009-05-27 22:10 . 2007-07-04 09:25 -------- d-----w c:\program files\MySpace
2009-05-27 12:00 . 2008-09-22 12:45 -------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-05-27 11:59 . 2008-09-22 13:03 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-27 11:59 . 2008-09-22 13:03 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-27 11:59 . 2008-09-22 13:03 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-27 11:05 . 2008-02-04 14:02 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-21 10:21 . 2009-01-05 10:53 35296 ----a-w c:\windows\system32\drivers\Dvd43.sys
2009-05-19 05:42 . 2007-10-14 16:27 65592 ----a-w c:\documents and settings\Zoe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-17 16:12 . 2006-03-18 13:53 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-05-17 14:26 . 2006-04-17 02:14 -------- d-----w c:\program files\Yahoo!
2009-05-17 13:01 . 2006-03-18 10:43 65592 ----a-w c:\documents and settings\Join\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 13:12 . 2006-03-18 13:01 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-15 13:25 . 2009-01-22 10:21 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-14 11:30 . 2006-03-18 15:25 -------- d-----w c:\program files\Common Files\Ahead
2009-05-10 18:42 . 2006-05-15 09:58 737280 ----a-w c:\windows\iun6002.exe
2009-04-29 12:00 . 2006-11-03 18:31 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-29 03:11 . 2009-04-26 18:06 286720 ----a-w c:\windows\iun506.exe
2009-04-28 05:25 . 2009-04-28 05:21 -------- d-----w c:\docume~1\Join\APPLIC~1\U3
2009-04-25 10:00 . 2009-04-25 10:00 -------- d-----w c:\documents and settings\Zoe\Application Data\Ulead Systems
2009-04-11 10:29 . 2006-03-18 13:03 1100 ----a-w c:\windows\system32\d3d8caps.dat
2009-04-11 10:17 . 2006-09-30 10:28 -------- d-----w c:\program files\MultiRes
2009-04-11 10:17 . 2006-09-30 10:28 -------- d-----w c:\program files\Radeon Omega Drivers
2009-04-08 00:41 . 2009-04-08 00:41 1316096 ----a-w c:\windows\system32\ooscrsav.scr
2009-04-08 00:41 . 2009-04-08 00:41 730368 ----a-w c:\windows\system32\oodsvct.exe
2009-04-08 00:40 . 2009-04-08 00:40 1377536 ----a-w c:\windows\system32\oodag.exe
2009-04-08 00:39 . 2009-04-08 00:39 2553088 ----a-w c:\windows\system32\oodtray.exe
2009-04-08 00:39 . 2009-04-08 00:39 194816 ----a-w c:\windows\system32\oodbs.exe
2009-04-08 00:35 . 2009-04-08 00:35 951552 ----a-w c:\windows\system32\oodtrrs.dll
2009-04-08 00:35 . 2009-04-08 00:35 541952 ----a-w c:\windows\system32\oodssrs.dll
2009-04-08 00:34 . 2009-04-08 00:34 9984 ----a-w c:\windows\system32\oodbsrs.dll
2009-04-08 00:34 . 2009-04-08 00:34 8448 ----a-w c:\windows\system32\OODAGRS.DLL
2009-04-08 00:34 . 2009-04-08 00:34 15616 ----a-w c:\windows\system32\OODAGMG.DLL
2009-04-07 14:00 . 2009-04-07 14:00 37896 ----a-w c:\windows\system32\drivers\oobctm.sys
2009-04-07 13:59 . 2009-04-07 13:59 15104 ----a-w c:\windows\system32\ootmapi.dll
2009-03-09 08:10 . 2009-03-09 08:10 472576 ----a-w c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rapportexe"="c:\program files\Trusteer\Rapport\bin\RapportService.exe" [2009-03-24 972008]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"AtiTrayTools"="c:\program files\Ray Adams\ATI Tray Tools\atitray.exe" [2008-09-15 585728]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\1fc69c74-fced-4e96-9d38-d548eda3f849.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"DVD43"="c:\progra~1\DVDREG~1\DVDRegionFree.exe" [2006-10-26 258560]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-12-02 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-11-06 570664]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2009-04-08 2553088]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-27 1947928]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\dhdhdhasoq0129kqlapp;KQIUWLAP.exe" [2009-01-26 5365592]
"AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2006-02-22 344064]

c:\documents and settings\Join\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-27 11:59 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PhotoShow Deluxe Media Manager"=c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SsAAD.exe"=c:\progra~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FlashFXP\\flashfxp.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP 2.0\\MediaManager.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [06/12/2005 16:11 35328]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [12/01/2006 12:56 102528]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [18/03/2006 10:07 10368]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [08/09/2008 19:32 18336]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22/09/2008 14:03 325896]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [24/03/2009 16:35 56808]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [24/03/2009 16:35 89192]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 72944]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [17/01/2009 11:47 598856]
R3 Dvd43;Dvd43;c:\windows\system32\drivers\Dvd43.sys [05/01/2009 11:53 35296]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 7408]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [07/03/2008 17:21 10976]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys --> c:\windows\system32\DRIVERS\SaiHFF0C.sys [?]
S3 SaiHFF12;SaiHFF12;c:\windows\system32\drivers\SaiHFF12.sys [26/07/2004 12:54 132232]
S3 SaiIFF12;Immersion's HID USB Driver (FF12);c:\windows\system32\drivers\SaiIFF12.sys [01/05/2007 15:34 16256]
S3 SaiNtSub;SaiNtSub;c:\windows\system32\DRIVERS\SaiNtSub.sys --> c:\windows\system32\DRIVERS\SaiNtSub.sys [?]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys --> c:\windows\system32\DRIVERS\SaiUFF0C.sys [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/09/2008 14:03 298776]
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-PhotoShow Deluxe Media Manager - c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
HKLM-Run-VVSN - c:\program files\VVSN\VVSN.exe
HKLM-Run-Sony Ericsson PC Suite - c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
HKLM-Run-SaiSmart - c:\program files\Saitek\Software\SaiSmart.exe
HKLM-Run-PWRISOVM.EXE - c:\program files\PowerISO\PWRISOVM.EXE
HKLM-Run-Profiler - c:\program files\Saitek\Software\Profiler.exe
HKLM-Run-Motive SmartBridge - c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
HKLM-Run-kdx - c:\program files\Kontiki\KHost.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
HKLM-Run-NWEReboot - (no file)
SafeBoot-procexp90.Sys
SafeBoot-svcWRSSSDK


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 00:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-842925246-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,9a,e4,bb,60,47,
87,d7,26,e2,63,26,f1,3f,c8,ff,68,63,2a,c3,f2,59,cb,62,0a,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,11,41,c6,8a,eb,
26,46,cf,6a,9c,d6,61,af,45,84,18,d6,b3,f4,50,bc,d5,cb,60,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,df,17,8f,c3,1e,
12,fa,a8,ff,7c,85,e0,43,d4,0e,fe,e7,57,dc,59,7c,87,6e,e1,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,b1,3a,74,7a,25,
aa,cb,f1,86,8c,21,01,be,91,eb,e7,32,39,03,ef,29,af,3e,53,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,5e,02,2a,fe,61,
c0,0e,d9,f5,1d,4d,73,a8,13,5c,05,2a,f5,c1,af,49,66,bb,9f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,0d,40,b9,4f,0d,
31,ff,47,df,20,58,62,78,6b,cf,c8,89,d8,aa,f1,52,7e,3a,19,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,43,e5,e9,c9,7b,
3b,c6,80,fb,a7,78,e6,12,2f,9a,ea,07,13,54,91,35,22,c8,0d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,47,2f,db,ee,aa,
1b,c9,9f,01,3a,48,fc,e8,04,4a,f1,c8,44,49,7c,e7,3b,7f,11,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,cd,55,bd,eb,18,
f4,a2,18,f6,0f,4e,58,98,5b,89,c9,4c,a1,2b,03,68,eb,b5,aa,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,77,51,35,82,ae,
dc,e9,65,3d,ce,ea,26,2d,45,aa,78,cb,db,f9,f4,eb,c7,c0,ae,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,f3,f2,aa,00,40,
1e,24,12,2a,b7,cc,b5,b9,7f,41,e7,6d,e8,71,81,93,02,50,bb,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,21,5a,ef,76,25,
0f,0c,4c,6c,43,2d,1e,aa,22,2f,9c,5c,cb,31,5b,3d,9b,83,1c,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="(value omitted)"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2680)
c:\program files\Ray Adams\ATI Tray Tools\raphook.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\CTSVCCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\system32\oodag.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe
c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\control.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-05-28 0:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-28 23:53

Pre-Run: 101,794,185,216 bytes free
Post-Run: 101,695,668,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
360 --- E O F --- 2008-07-20 12:21
2009-05-28 18:45:27 . 2009-05-28 23:41:59 204 ----a-w C:\Qoobox\Quarantine\catchme.log
2008-12-14 15:45:13 . 2008-12-14 15:45:13 87,608 ----a-w C:\Qoobox\Quarantine\C\DOCUME~1\Join\APPLIC~1\inst.exe.vir
2009-05-28 06:22:28 . 2009-05-28 23:31:40 270 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job.vir
2009-05-28 23:52:48 . 2009-05-28 23:52:48 172 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-PhotoShow Deluxe Media Manager.reg.dat
2009-05-28 23:52:48 . 2009-05-28 23:52:48 189 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-updateMgr.reg.dat
2009-05-28 23:52:50 . 2009-05-28 23:52:50 292 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Adobe Photo Downloader.reg.dat
2009-05-28 23:52:50 . 2009-05-28 23:52:50 136 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-kdx.reg.dat
2009-05-28 23:52:50 . 2009-05-28 23:52:50 165 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Motive SmartBridge.reg.dat
2009-05-28 23:52:50 . 2009-05-28 23:52:50 97 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NWEReboot.reg.dat
2009-05-28 23:52:50 . 2009-05-28 23:52:50 148 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Profiler.reg.dat
2009-05-28 23:52:50 . 2009-05-28 23:52:50 144 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-PWRISOVM.EXE.reg.dat
2009-05-28 23:52:50 . 2009-05-28 23:52:50 148 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SaiSmart.reg.dat
2009-05-28 23:52:50 . 2009-05-28 23:52:50 216 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Sony Ericsson PC Suite.reg.dat
2009-05-28 23:52:50 . 2009-05-28 23:52:50 124 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-VVSN.reg.dat
2009-05-28 23:52:57 . 2009-05-28 23:52:57 562 ----a-w C:\Qoobox\Quarantine\Registry_backups\SafeBoot-procexp90.Sys.reg.dat
2009-05-28 23:52:58 . 2009-05-28 23:52:58 554 ----a-w C:\Qoobox\Quarantine\Registry_backups\SafeBoot-svcWRSSSDK.reg.dat
2009-05-28 23:20:49 . 2009-05-28 23:45:36 2,058 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_GXVXCSERV.SYS.reg.dat
2009-05-28 23:45:28 . 2009-05-28 23:45:28 12,189 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg


Online Kaspersky shows:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, May 29, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 29, 2009 01:43:03
Records in database: 2268170
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 228060
Threat name: 2
Infected objects: 1
Suspicious objects: 1
Duration of the scan: 03:19:56


File name / Threat name / Threats count
C:\WINDOWS\system32\rn.tmp Suspicious: Packed.Win32.PECompact 1
F:\FS2004\Sim Upgrades\Ultimate Traffic (2007)\Ultimate Traffic 2007.iso Infected: not-a-virus:AdWare.Win32.EShoper.ab 1

The selected area was scanned.

shelf life
2009-05-30, 16:04
ComboFix removed a driver. You should be able to run Malwarebytes now.